Mobile Threat Blog

Security Implications of BYOD in The White House

Many have voiced security concerns over President Donald Trump’s abundant Twitter use. Security veterans are mainly concerned that Trump is vulnerable to phishing attacks, for example through clicking on shortened URLs in tweets, or that an attacker could take over his Twitter account and impersonate the president. When Donald Trump took office, it was said that he had traded in his Android device for a Secret Service-approved encrypted handset. This news made security experts sigh in relief. However, it seems that the relief was short-lived.

New claims have emerged that President Trump is still using his old, unsecured Android device, forgoing his officially issued device and opting for BYOD (Bring Your Own Device). We see this phenomenon all too often in the enterprise, but what are the security implications of the most powerful man in the world heavily using an unsecured, unmonitored, and unmanaged device?

Appthority would like to highlight some of the risky scenarios of Trump’s personal Twitter account use on an unsecured Android device.

Based on our analysis, the Twitter app has the ability to record video, photos and voice. Twitter can also track a user’s location while running in the background and prevent the device from locking its screen. The information collected by Twitter might be very valuable to a would-be attacker, and it makes Twitter’s servers a huge target for malicious third parties trying to get access to that information.

Further, unknown to most users, Twitter contains a feature called App Graph, which collects a list of the other apps installed on the device and uses it to suggest relevant tweets or accounts to the user. Thus, if Twitter has been hacked, an attacker may also get a list of the apps installed on Trump’s device and further exploit these apps with either known or zero-day vulnerabilities.
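The capabilities described in the two paragraphs above can be checked by a defender from the permissions an app declares. The following is an added example, not Appthority's analysis or code from the original post; the manifest is constructed sample data for a hypothetical app (not Twitter's), and the capability-to-permission mapping is an assumption made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability named in the post -> Android permissions behind it.
CAPABILITY_PERMISSIONS = {
    "record photos and video": {"android.permission.CAMERA"},
    "record voice": {"android.permission.RECORD_AUDIO"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "track location in background (Android 10+)":
        {"android.permission.ACCESS_BACKGROUND_LOCATION"},
    "keep screen or CPU awake": {"android.permission.WAKE_LOCK"},
    "list installed apps (Android 11+)": {"android.permission.QUERY_ALL_PACKAGES"},
}

# Constructed sample manifest for a hypothetical app (not Twitter's manifest).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.socialapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.WAKE_LOCK"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the permission names declared in a text-form AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Both element names request permissions; the -sdk-23 form applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def audit(manifest_xml):
    """Map declared permissions to the sensitive capabilities they enable."""
    declared = declared_permissions(manifest_xml)
    return {capability: sorted(declared & needed)
            for capability, needed in CAPABILITY_PERMISSIONS.items()
            if declared & needed}


if __name__ == "__main__":
    for capability, perms in audit(SAMPLE_MANIFEST).items():
        print(f"{capability}: {', '.join(perms)}")
```

A manifest taken from an APK is stored as binary XML and has to be decoded to text before this parser can read it. Before Android 11 an app could enumerate installed packages without declaring any permission, so a missing "list installed apps" row does not rule that behaviour out on older devices.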

Twitter’s bug bounty program aims to address vulnerabilities ranging from Remote Code Execution and Significant Authentication Bypass to Cross-Site Scripting attacks. These vulnerabilities create a risk of powerful attacks because they may allow an attacker to get data collected from the Twitter app or gain unauthorized access to protected tweets.

Scary Scenario Two: Beyond Twitter, President Trump faces risks from the use of an unsecured Android device

More worrying than Trump’s use of a personal Twitter account is his use of an old, unsecured device. Although the President was allegedly issued an encrypted Secret Service-approved device, Trump has apparently opted to use his old Android device instead. Talk about BYOD.

Once news broke that President Trump is using an old Android device, Android experts immediately speculated about which device it could be, and identified the device as a Samsung Galaxy S3, a device that is almost 5 years old. If Trump’s personal device is indeed a Galaxy S3, then it’s time to sound the cyber alarms; that handset model received its latest (and final) software update in mid-2015, with out-of-date firmware based on a far less secure OS, Android 4.3 Jelly Bean.

This may mean that Trump’s mobile device is at least three years out of date in terms of Android security updates and patches. There have been scores of pretty serious security and privacy vulnerabilities discovered and patched since then, which the device would still be vulnerable to.

For example, in 2014, it was discovered that at least nine different models of Samsung smartphones (including the Samsung Galaxy S3 in question) could be remotely exploited due to a software-based backdoor. This vulnerability allowed attackers to remotely steal files and location data as well as to covertly activate the microphone and camera.

Thus, if President Trump really uses a Galaxy S3, it would be trivial for an attacker to remotely activate the microphone and listen in to any conversations Trump is having at the White House. If that doesn’t send chills down your back, we don’t know what will.

Conclusion

During Trump’s presidential campaign, he put a lot of emphasis on his opponent’s irresponsible use of a personal email server, and invited his supporters to chant “Lock her up!”. Perhaps it’s time to modify that phrase and update it to “Lock it up!”. With the constant rise in mobile-related cyber threats, we urge the President to give up his unsecured personal device and employ better mobile security techniques. If his administration needs any help, the experts at Appthority are just a phone call or a tweet away (@Appthority).